This document provides information on how to configure syslog on the
Cisco Adaptive Security Appliance (ASA) 8.x by using the Adaptive Security
Device Manager (ASDM) GUI. System log messages are generated by the Cisco ASA
to notify the administrator of any change in the configuration, changes in
network setup, or changes in the performance of the device. By analyzing the
system log messages, an administrator can troubleshoot an error by performing a
root cause analysis.

Syslog messages are mainly differentiated based on their severity
level.

The information in this document is based on these software and
hardware versions:

Cisco ASA Version 8.2

Cisco ASDM Version 6.2

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

You can log the syslog messages to an internal buffer by specifying
the buffer size. You can also choose to save the buffer contents to Flash
memory by clicking Configure Flash Usage and defining the
Flash settings.

Buffered log messages can be sent to an FTP server before they are
overwritten. Click Configure FTP Settings and specify the
FTP server details as shown here:

Specify the interface that the server is associated with along with
the IP address. Specify the Protocol and
Port details depending on your network setup. Then, click
OK.

Note: Make sure that you have reachability to the syslog server from
the Cisco ASA.

The configured syslog server is seen as shown here. Modifications
can be done when you select this server, then click
Edit.

Note: Check the Allow user traffic to pass when TCP
syslog server is down option. Otherwise, new user sessions through the ASA are
denied. This is applicable only when the transport protocol
between the ASA and the syslog server is TCP. By default, new network access
sessions are denied by the Cisco ASA when a syslog server is down for any
reason.

In order to define the type of syslog messages that are to be sent
to the syslog server, see the Logging Filter
section.

Specify a name in the Name field. Click
Add in the Message ID Filters pane to
create a new event list.

Specify the range of syslog message IDs. Here, the TCP syslog messages
are taken as an example. Click OK to complete.

Click OK again in order to return to the
Event Lists window.

Message Severity

Event lists can also be defined based on the message severity. Click
Add to create a separate event
list.

Specify the name and click
Add.

Select the severity level as
Errors.

Click OK.

Message Class

Event lists are also configured based on the Message Class. A message
class is a group of syslog messages related to a security appliance feature
that enables you to specify an entire class of messages instead of specifying a
class for each message individually. For example, use the auth class to select
all syslog messages that are related to user authentication. Some available
message classes are shown here:

All—All event classes

auth—User Authentication

bridge—Transparent firewall

ca—PKI Certification Authority

config—Command Interface

ha—Failover

ips—Intrusion Protection Service

ip—IP Stack

np—Network Processor

ospf—OSPF Routing

rip—RIP Routing

session—User Session

Perform these steps to create an event class based on the
vpnclient-errors message class. The message class,
vpnc, is available to categorize all syslog messages
related to the vpnclient. Severity level for this message class is chosen as
"errors".

Click Add to create a new event list.

Specify the name to be relevant to the message class you create and
click Add.

Select vpnc from the drop-down
list.

Select the severity level as Errors. This
severity level applies only to the messages that are logged for this
message class. Click OK to return to the Add
Event List window.

It is also shown in the next screenshot that a new event list,
"user-auth-syslog", is created with a message class as "auth" and the severity
level for the syslogs of this specific message class as "Warnings". By
configuring this, the event list specifies all the syslog messages that are
related to the "auth" message class, with severity levels up
to "Warnings" level.

Note: Here, the term "up to" is significant. When you specify a
severity level, keep in mind that all syslog messages up to and including
that level are logged.

Note: An event list can contain multiple event classes. The
"vpnclient-errors" event list is modified by clicking Edit and
defining a new event class "ssl/error".
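
The event list matching described above, modelled in Python as an added example (this is not Cisco code or ASA output). The class-to-message-ID prefixes, the TCP_CONN message ID range and the sample lines are assumptions constructed for illustration; the "user-auth-syslog" and "vpnclient-errors" lists follow the text.

```python
import re

# ASA severity names in order; the list index is the numeric level (0 = most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Assumed class-to-message-ID-prefix mapping, for illustration only.
CLASS_PREFIXES = {"auth": ("109", "113"), "vpnc": ("611",), "ssl": ("725",)}
# ASA messages carry "%ASA-<severity>-<message id>:" ahead of the text.
ASA_MSG = re.compile(r"%ASA-(\d)-(\d{6}):")

def parse(line):
    """Return (severity, message_id), or None if this is not an ASA message."""
    m = ASA_MSG.search(line)
    return (int(m.group(1)), m.group(2)) if m else None

def matches(event_list, line):
    """True if any entry (event class or message ID range) selects the message."""
    parsed = parse(line)
    if parsed is None:
        return False
    sev, msg_id = parsed
    for entry in event_list:
        if "id_range" in entry:
            lo, hi = entry["id_range"]
            if lo <= int(msg_id) <= hi:
                return True
            continue
        # "Up to" a level: that level and every more severe (lower-numbered) one.
        if sev > SEVERITIES.index(entry["level"]):
            continue
        cls = entry.get("cls")
        if cls is None or msg_id.startswith(CLASS_PREFIXES[cls]):
            return True
    return False

# Event lists mirroring the ones described above; TCP_CONN is a hypothetical name.
USER_AUTH_SYSLOG = [{"cls": "auth", "level": "warnings"}]
VPNCLIENT_ERRORS = [{"cls": "vpnc", "level": "errors"},
                    {"cls": "ssl", "level": "errors"}]
TCP_CONN = [{"id_range": (302013, 302014)}]  # assumed range for the TCP example
# Constructed sample lines (not captured from a device).
SAMPLE = [
    "%ASA-3-109010: constructed auth message at errors level",
    "%ASA-6-113005: constructed auth message at informational level",
    "%ASA-3-611313: constructed vpnc message at errors level",
    "%ASA-6-302013: constructed TCP connection message",
]
```

An auth message at the informational level falls outside "user-auth-syslog" because level 6 is numerically above Warnings (4), while the errors-level auth message is inside it.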

You can log access rule hits with the ASDM. The default logging
behavior is to send a syslog message for all denied packets. No syslog message
is generated for permitted packets.
However, you can define a custom logging severity level for an access rule in
order to track the count of packets that hit it.

Perform these steps:

Select the required access rule and click
Edit.

The Edit the Access Rule window
appears.

Note: In this image, the Default option in the
Logging Level field indicates the default logging behavior
of the Cisco ASA. For more information about this, refer to the
Logging
Access List Activity section.

Note: When you click the More options drop-down tab,
you can see the Logging Interval option. This option is
highlighted only when the Enable Logging option above it is
checked. The default value of this timer is 300 seconds. This setting
specifies the time-out value after which the flow statistics are deleted when
there is no match for that access rule. If there are any hits, the ASA waits
until the Logging Interval elapses and then sends that information to the syslog.

The modifications are shown here. Alternatively, you can
double-click the Logging field of the specific access rule
and set the severity level there.

Note: This alternate method of specifying the Logging
Level in the same Access Rules pane by
double-clicking works only for manually created access rule entries, and
not for the Implicit Rules.

This error is received when attempting to enable ASDM logging at the
Device Dashboard for any of the contexts.

"Connection Lost -- Syslog Connection Terminated
--"

When ASDM is used to connect directly to the admin context and ASDM
logging is disabled there, then switch to a subcontext and enable ASDM logging.
The errors are received, but the syslog messages reach the
syslog server without any problem.